The problem of detecting malicious and unwanted software has become increasingly challenging. Antivirus software installed on end hosts in an organization is the de-facto tool used to prevent malicious and unwanted software, files, and data (henceforth referred to as ‘unwanted files’) from being downloaded, opened, accessed, or executed. While a single antivirus engine may be able to detect many types of malware, 0-day threats and other obfuscated attacks can frequently evade a single engine. Instead of running complex analysis software on every end host, this disclosure contemplates that each end host run a lightweight agent to acquire files and data entering a system and send that information to an ‘in-cloud’ network service for analysis by multiple heterogeneous detection engines in parallel. Analysis results are used to automatically delete, quarantine, disable, or warned users and administrators about unwanted or malicious software and files on end hosts. The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.